[jose] HPKE Single Shot for Compact JWE

Orie Steele <orie@transmute.industries> Sun, 11 February 2024 13:58 UTC

From: Orie Steele <orie@transmute.industries>
Date: Sun, 11 Feb 2024 07:58:04 -0600
Message-ID: <CAN8C-_LCB33RocisCO21_kgt=vUN3VterUf88HS+mswn4w1fUQ@mail.gmail.com>
To: JOSE WG <jose@ietf.org>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="0000000000007d436806111b8d4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/RWC6jxLypqSsp5ZXw7yf7CgSFh0>
Subject: [jose] HPKE Single Shot for Compact JWE
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>

Section 5 defines -
https://datatracker.ietf.org/doc/html/rfc9180#section-5.1 :

def SetupBaseS(pkR, info):
  shared_secret, enc = Encap(pkR)
  return enc, KeyScheduleS(mode_base, shared_secret, info,
                           default_psk, default_psk_id)

def SetupBaseR(enc, skR, info):
  shared_secret = Decap(enc, skR)
  return KeyScheduleR(mode_base, shared_secret, info,
                      default_psk, default_psk_id)

Section 6 defines "Single-Shot" APIs for HPKE -
https://datatracker.ietf.org/doc/html/rfc9180#name-single-shot-apis :

def Seal<MODE>(pkR, info, aad, pt, ...):
  enc, ctx = Setup<MODE>S(pkR, info, ...)
  ct = ctx.Seal(aad, pt)
  return enc, ct

def Open<MODE>(enc, skR, info, aad, ct, ...):
  ctx = Setup<MODE>R(enc, skR, info, ...)
  return ctx.Open(aad, ct)

With "Single-Shot", you cannot place the "encapsulated key (enc)" in JWE
Protected Headers.

Given the original design of JWE in
https://datatracker.ietf.org/doc/html/rfc7516#section-3.1

Compact:

      BASE64URL(UTF8(JWE Protected Header)) || '.' ||
      BASE64URL(JWE Encrypted Key) || '.' ||
      BASE64URL(JWE Initialization Vector) || '.' ||
      BASE64URL(JWE Ciphertext) || '.' ||
      BASE64URL(JWE Authentication Tag)

JSON:

     "protected", with the value BASE64URL(UTF8(JWE Protected Header))
      "unprotected", with the value JWE Shared Unprotected Header
      "header", with the value JWE Per-Recipient Unprotected Header
      "encrypted_key", with the value BASE64URL(JWE Encrypted Key)
      "iv", with the value BASE64URL(JWE Initialization Vector)
      "ciphertext", with the value BASE64URL(JWE Ciphertext)
      "tag", with the value BASE64URL(JWE Authentication Tag)
      "aad", with the value BASE64URL(JWE AAD)

In https://mailarchive.ietf.org/arch/msg/jose/0ODZ_2TTjrOOwv1JwvYuv0OuZ0s/

Ilari proposed concatenating "HPKE enc" with "HPKE ct" and calling the
result "JWE Ciphertext".

This would enable "HPKE Single Shot", but at the cost of needing to slice the
"JWE Ciphertext" string to recover enc (which will change in size with the
use of different KEMs).

In the current draft-rha-jose-hpke-encrypt design for single-recipient JWE
messages, we defined a new JWA approach called "Integrated Encryption",
which leverages HPKE to encrypt a plaintext message to a single recipient
without the need to include the JWE Encrypted Key, JWE Initialization Vector,
or JWE Authentication Tag.

For example:
eyJhbGciOiJIUEtFLUJhc2UtUDI1Ni1TSEEyNTYtQUVTMTI4R0NNIiwiZXBrIjp7Imt0eSI6IkVLIiwiZWsiOiJCQ0lrQ2Nka1hHS2VhaEhpMFdFRnFMbm9VREFtdnpJd0t2SVF3TFNXWjVpTHc3ZDFSMXdDRTRpVUVyV1NKZnlueGwtTmltQVdhSkNfWFVjY2lwOEhZeTAifX0
...
vtwAfUY4SP2loyqJDht2r824r1a0tTi-0Cr_u0GunXCMxvKbZQaZFFjEMBTffJRf6FBaJMao2Trm5QZBxLr_w7f75ZPA99VdY7YMwRNkfftRW97BPEn0x0SM3inNaESQGuPqNZM
.

It does this by using the "epk" parameter of the JWE Protected Header to
transport the "HPKE enc".

This means that in order for a recipient to decrypt a message, they must
pass the JWE Protected Header to HPKE Open as aad.

I have adjusted the pythonish examples from HPKE to make this clearer to
readers:

def Seal<MODE>(pkR, info, aad="JWE Protected Header", pt, ...):
  enc, ctx = Setup<MODE>S(pkR, info, ...)
  ct = ctx.Seal(aad, pt)
  return enc, ct

# desirable, but not possible because "enc" was not in "JWE Protected
# Header".
# enc = decode(decode("JWE Protected Header").epk.ek)

[enc, ct] = slice("JWE Ciphertext")

validate_enc(enc)  # because in DHKEMs enc is a public key made of points
                   # on a curve

def Open<MODE>(enc=enc, skR, info, aad="JWE Protected Header", ct=ct, ...):
  ctx = Setup<MODE>R(enc, skR, info, ...)
  return ctx.Open(aad, ct)

I see no reason to comment on Single Shot APIs directly in
"draft-rha-jose-hpke-encrypt".

These HPKE internals are implementation details, similar to how JWE does
not comment on deriveBits / deriveSecretKey, and yet implementations of JWE
might use those APIs from web crypto internally.

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
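The two layouts discussed in the message above, the "epk" design of draft-rha-jose-hpke-encrypt and Ilari's "enc || ct in the JWE Ciphertext" alternative, as an added worked example in Python. This is not code from the draft, from Transmute, or from the list; it only shows the recipient-side steps that precede HPKE Open: splitting the compact serialization, recovering enc from the protected header (or slicing it out of the ciphertext by the KEM's Nenc), running the validate_enc check the message calls for on a P-256 enc, and forming the aad. Assumptions: the aad is the ASCII bytes of the base64url protected header, as RFC 7516 does for JWE (the draft may encode it differently); the KEM id/Nenc table is taken from RFC 9180; the sample message is the example from the mail re-joined across its wrapped lines, with the three consecutive dots being the empty Encrypted Key and IV positions and the trailing dot the empty Tag. The on-curve check is a plain arithmetic check, not a substitute for a real library's point validation.

```python
import base64
import json

# RFC 9180 DHKEM identifiers and their encapsulated-key sizes (Nenc).
# Needed for the "slice enc out of the JWE Ciphertext" alternative,
# because enc carries no length prefix and its size depends on the KEM.
KEM_NENC = {
    0x0010: 65,   # DHKEM(P-256, HKDF-SHA256): uncompressed SEC1 point
    0x0011: 97,   # DHKEM(P-384, HKDF-SHA384)
    0x0012: 133,  # DHKEM(P-521, HKDF-SHA512)
    0x0020: 32,   # DHKEM(X25519, HKDF-SHA256)
    0x0021: 56,   # DHKEM(X448, HKDF-SHA512)
}

# NIST P-256 parameters (y^2 = x^3 - 3x + b mod p), used to check that a
# P-256 "enc" really is a point on the curve before it reaches Decap.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def validate_p256_enc(enc: bytes) -> bool:
    """True iff enc is a 65-byte uncompressed SEC1 point on P-256.

    A DHKEM enc is the sender's ephemeral public key; a recipient that
    skips this check feeds an attacker-chosen point into scalar
    multiplication with its long-term private key."""
    if len(enc) != 65 or enc[0] != 0x04:
        return False
    x = int.from_bytes(enc[1:33], "big")
    y = int.from_bytes(enc[33:65], "big")
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def parse_integrated_jwe(compact: str) -> dict:
    """Split a single-recipient "Integrated Encryption" compact JWE.

    The Encrypted Key, IV and Tag positions are present but empty; enc
    travels in the protected header as epk.ek. Returns what a recipient
    needs to call HPKE Open(enc, skR, info, aad, ct)."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have five dot-separated parts")
    protected_b64, encrypted_key, iv, ciphertext_b64, tag = parts
    if encrypted_key or iv or tag:
        raise ValueError("integrated encryption leaves encrypted_key, iv and tag empty")
    header = json.loads(b64url_decode(protected_b64))
    enc = b64url_decode(header["epk"]["ek"])
    return {
        "header": header,
        "enc": enc,
        # ASSUMPTION: aad is the ASCII form of the base64url protected
        # header, following RFC 7516 section 5.1 step 14.
        "aad": protected_b64.encode("ascii"),
        "ct": b64url_decode(ciphertext_b64),
    }


def split_enc_ct(jwe_ciphertext: bytes, kem_id: int) -> tuple:
    """The alternative layout: enc || ct packed into the JWE Ciphertext.

    Recovering enc requires already knowing Nenc for the negotiated KEM."""
    n = KEM_NENC[kem_id]
    if len(jwe_ciphertext) < n:
        raise ValueError("JWE Ciphertext shorter than Nenc")
    return jwe_ciphertext[:n], jwe_ciphertext[n:]


# The example message from the mail above, re-joined across its wrapped
# lines: protected header, three dots (empty Encrypted Key and IV),
# ciphertext, trailing dot (empty Tag).
EXAMPLE_JWE = (
    "eyJhbGciOiJIUEtFLUJhc2UtUDI1Ni1TSEEyNTYtQUVTMTI4R0NNIiwiZXBrIjp7Imt0"
    "eSI6IkVLIiwiZWsiOiJCQ0lrQ2Nka1hHS2VhaEhpMFdFRnFMbm9VREFtdnpJd0t2SVF3"
    "TFNXWjVpTHc3ZDFSMXdDRTRpVUVyV1NKZnlueGwtTmltQVdhSkNfWFVjY2lwOEhZeTAifX0"
    "..."
    "vtwAfUY4SP2loyqJDht2r824r1a0tTi-0Cr_u0GunXCMxvKbZQaZFFjEMBTffJRf6FBaJMao2Trm5QZBxLr_w7f75ZPA99VdY7YMwRNkfftRW97BPEn0x0SM3inNaESQGuPqNZM"
    "."
)

if __name__ == "__main__":
    msg = parse_integrated_jwe(EXAMPLE_JWE)
    print("alg:", msg["header"]["alg"])
    print("enc bytes:", len(msg["enc"]), "on curve:", validate_p256_enc(msg["enc"]))
    print("aad bytes:", len(msg["aad"]), "ct bytes:", len(msg["ct"]))
```

With the "epk" layout the recipient gets enc by parsing JSON it already has to parse, and the same base64url string doubles as aad; with the sliced layout the recipient must first decide which KEM is in use (from alg) before it can even find the boundary between enc and ct.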